From 68020103af00280393da10039b968c95d68e526c Mon Sep 17 00:00:00 2001
From: Puja Gupta
Date: Mon, 6 Mar 2017 15:04:11 -0800
Subject: soc: qcom: Avoid possible buffer overflow in service-locator

Fix possible buffer overflow by reading 'resp->total_domains' from the qmi response message since 'resp->total_domains' indicate total number of matching domains found by servreg. 'resp->domain_list_len' indicates the domains that could be sent in one response which should not be greater than 'resp->total_domains'.

CRs-Fixed: 2009016
Change-Id: I614561c5f9bc996689129bc098baaffc9b59c377
Signed-off-by: Puja Gupta
---
 drivers/soc/qcom/service-locator.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/soc/qcom/service-locator.c b/drivers/soc/qcom/service-locator.c
index 8581ed5..0d6c1d6 100644
--- a/drivers/soc/qcom/service-locator.c
+++ b/drivers/soc/qcom/service-locator.c
@@ -266,10 +266,9 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
 	if (!domains_read) {
 		db_rev_count = pd->db_rev_count = resp->db_rev_count;
 		pd->total_domains = resp->total_domains;
-		if (!pd->total_domains && resp->domain_list_len) {
-			pr_err("total domains not set\n");
-			pd->total_domains = resp->domain_list_len;
-		}
+		if (!resp->total_domains)
+			pr_info("No matching domains found\n");
+
 		pd->domain_list = kmalloc(
 				sizeof(struct servreg_loc_entry_v01) *
 				resp->total_domains, GFP_KERNEL);
@@ -286,6 +285,10 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
 		rc = -EAGAIN;
 		goto out;
 	}
+	if (resp->domain_list_len > resp->total_domains) {
+		/* Always read total_domains from the response msg */
+		resp->domain_list_len = resp->total_domains;
+	}
 	/* Copy the response*/
 	store_get_domain_list_response(pd, resp, domains_read);
 	domains_read += resp->domain_list_len;
-- 
cgit v1.1
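Review bot: The clamp added in the second hunk bounds `domain_list_len` by the current response's `total_domains`, not by the space left in `pd->domain_list`, which the first hunk sizes from the first response's `total_domains` only while `domains_read` is zero. On a follow-up response (non-zero `domains_read`), `store_get_domain_list_response(pd, resp, domains_read)` is handed that offset, so a `domain_list_len` equal to `total_domains` still appears to write past the end of the buffer, and a later response advertising a larger `total_domains` widens the gap; both fields come from the remote service. Clamping against the remaining capacity closes this: `if (resp->domain_list_len > pd->total_domains - domains_read) resp->domain_list_len = pd->total_domains - domains_read;` (assuming the enclosing loop keeps `domains_read` at or below `pd->total_domains`). While here, the `kmalloc(sizeof(struct servreg_loc_entry_v01) * resp->total_domains, GFP_KERNEL)` in the first hunk multiplies a peer-supplied count with no overflow check, whereas `kmalloc_array(resp->total_domains, sizeof(struct servreg_loc_entry_v01), GFP_KERNEL)` performs that check. service_locator_send_msg starts and ends outside both hunks.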